
thusfar's avatar

TokenMismatchException in VerifyCsrfToken.php line 67

So I'm using Spark. And I've been using it for days working on my project. No problem.

Today, I power up Homestead, visit my website, try to login and I get: TokenMismatchException in VerifyCsrfToken.php line 67

Just out of the blue.

I get this error on POST /login route, which is defined by Spark and which is defined INSIDE 'web' middleware. I logged in many times before, without issues.

Now, I searched this topic here on forums, on Google, even Spark GitHub repository. Tried many solutions I've found, but no help.

What I've tried:

  • check if my "login" route uses 'web' middleware
  • clearing cache
  • generating new key
  • putting all of my routes inside 'web' middleware
  • checking if _token was sent during POST request
  • checking the 'login' view for the usage of CSRF which is defined like this {{ csrf_field() }}
  • checking if HTML is generated for CSRF

Although, I've noticed inside POST request on 'login' route that these two are different. Maybe they should be? I'm not sure.

// inside request headers
Cookie:XSRF-TOKEN=eyJpdiI6IkZIVUJ2RURlMXhpOThDN3llUWNabFE9PSIsInZhbHVlIjoiQ3hNalZ0Zjh2MnBVSm9HdnpWSzFcL1ZrbVkwNXlZQUVqbGVUd2JGNUNhOTgyZ1ZERjhPQU5Uczdhb2FTQVRQY3U2TXYyZTVVNXplYklZWmdpSnN4U1h3PT0iLCJtYWMiOiJmNGMzZjZhNmI5NjQ1ND ....to be continued
// form data
_token:KFymm26nxRJXiWctbGnZuNwkgioHLr4beYNxfVts

Anyhow, I'm without ideas here. I have no idea what to do!? I would appreciate any help. And P.S. what pisses me the most is the last time it worked fine and now all of a sudden this error shows up.

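Added example, not part of the original thread: Laravel encrypts its cookies, so the XSRF-TOKEN cookie is a base64-encoded JSON envelope with `iv`, `value` and `mac` fields, while the `_token` form field is the raw session token, and the two are expected to differ as strings. The function names and the sample envelope below are constructed for illustration; the sketch only inspects the envelope structure and does not decrypt anything.

```javascript
// Build a constructed envelope in the shape Laravel's encrypter emits.
// None of these bytes come from the post; they are sample values.
function buildSampleEnvelope() {
  const envelope = {
    iv: Buffer.alloc(16, 1).toString('base64'),
    value: Buffer.from('constructed-ciphertext-bytes').toString('base64'),
    mac: 'ab'.repeat(32), // 64 hex chars, the length of an HMAC-SHA256 digest
  };
  const b64 = Buffer.from(JSON.stringify(envelope)).toString('base64');
  return encodeURIComponent(b64); // cookie values are URL-encoded in transit
}

// Report whether a cookie value is an encrypted envelope or a plain token.
function describeXsrfCookie(rawCookieValue) {
  let envelope;
  try {
    const b64 = decodeURIComponent(rawCookieValue);
    envelope = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (err) {
    // A raw 40-character token does not decode to JSON and lands here.
    return { encrypted: false, reason: 'not base64-encoded JSON' };
  }
  const fields = ['iv', 'value', 'mac'];
  const ok = envelope !== null && typeof envelope === 'object' &&
    fields.every((f) => typeof envelope[f] === 'string');
  if (!ok) {
    return { encrypted: false, reason: 'missing iv/value/mac' };
  }
  return {
    encrypted: true,
    ivBytes: Buffer.from(envelope.iv, 'base64').length,
    ciphertextBytes: Buffer.from(envelope.value, 'base64').length,
    macHexChars: envelope.mac.length,
  };
}

// The _token value quoted in the post is a plain token, not an envelope.
const FORM_TOKEN_FROM_POST = 'KFymm26nxRJXiWctbGnZuNwkgioHLr4beYNxfVts';

console.log(describeXsrfCookie(buildSampleEnvelope()));
console.log(describeXsrfCookie(FORM_TOKEN_FROM_POST));
```

A string mismatch between the cookie and `_token` therefore says nothing about whether the CSRF check will pass; the server compares `_token` against the token stored in the session.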
Snapey's avatar

Did the error show once or is it repeatable?

Personally, I favour excluding csrf from login pages as a) it has no benefit in this context, and, b) people tend to leave the site on the login screen, and then it does not work when they come back after the session expiry time.

thusfar's avatar

It is repeatable on Login screen/view.

But I found something interesting. On login view, VueJS code is loaded and on each load there is AJAX request made to the API endpoint route. That endpoint requires 'auth' middleware so of course on Login screen it returns 401 (Unauthorized) because it is not authenticated. Logic.

When I remove that route from routes.php everything works fine. Good to know. I fixed my problem.

But I'm still interested to why that happens. So if AJAX call on Login screen returns 401 (Unauthorized), you submit form and you get TokenMismatchException in VerifyCsrfToken.php line 67 error.

What is the logic behind it?

innominata's avatar

Just had this same error. Your discovery helped me fix it.

In my app.js (the main Spark.js loader) I had a function to initialize some data my app uses for every page. I added

if (Spark.userId) { this.getData(); }

to make sure there is a logged in user before doing any ajax requests.

Thanks!
